Bug 795899 (RESOLVED FIXED)
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in mozilla::layers::ContainerLayer::ComputeEffectiveTransformsForChildren
Categories: (Core :: Layout, defect)
Tracking:

Branch | Tracking | Status |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |

People: (Reporter: inferno, Assigned: mattwoodrow)
Details: (Keywords: assertion, csectype-uaf, testcase, Whiteboard: [asan][adv-main18+])
Attachments: (3 files)
Reproduces on trunk. To reliably reproduce, run multiple firefox instances on Xvfb screen 1280x1024x24 with this testcase on cmd line.
=================================================================
==32510== ERROR: AddressSanitizer heap-use-after-free on address 0x7fbd8c4c7880 at pc 0x7fbdd3a34512 bp 0x7fffdaa64e70 sp 0x7fffdaa64e68
READ of size 8 at 0x7fbd8c4c7880 thread T0
#0 0x7fbdd3a34511 in mozilla::layers::ContainerLayer::ComputeEffectiveTransformsForChildren(gfx3DMatrix const&) src/gfx/layers/Layers.cpp:812
#1 0x7fbdd39bb0fd in void mozilla::layers::ContainerComputeEffectiveTransforms<mozilla::layers::BasicContainerLayer>(gfx3DMatrix const&, mozilla::layers::BasicContainerLayer*) src/gfx/layers/basic/BasicContainerLayer.h:153
#2 0x7fbdd39b772f in mozilla::layers::BasicContainerLayer::ComputeEffectiveTransforms(gfx3DMatrix const&) src/gfx/layers/basic/BasicContainerLayer.h:217
#3 0x7fbdd3a34596 in mozilla::layers::ContainerLayer::ComputeEffectiveTransformsForChildren(gfx3DMatrix const&) src/gfx/layers/Layers.cpp:812
#4 0x7fbdd39bb0fd in void mozilla::layers::ContainerComputeEffectiveTransforms<mozilla::layers::BasicContainerLayer>(gfx3DMatrix const&, mozilla::layers::BasicContainerLayer*) src/gfx/layers/basic/BasicContainerLayer.h:153
#5 0x7fbdd39b772f in mozilla::layers::BasicContainerLayer::ComputeEffectiveTransforms(gfx3DMatrix const&) src/gfx/layers/basic/BasicContainerLayer.h:217
#6 0x7fbdd396cb71 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:569
#7 0x7fbdd396b7b7 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:509
#8 0x7fbdc74c55ae in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) src/layout/base/FrameLayerBuilder.cpp:2017
#9 0x7fbdc74c04e3 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) src/layout/base/FrameLayerBuilder.cpp:3236
#10 0x7fbdd39dcbe4 in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicThebesLayer.cpp:139
#11 0x7fbdd39e0dfe in non-virtual thunk to mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
#12 0x7fbdd3974465 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:823
#13 0x7fbdd3971bac in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:944
#14 0x7fbdd3974a51 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:839
#15 0x7fbdd3971bac in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:944
#16 0x7fbdd396cfd2 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:588
#17 0x7fbdd396b7b7 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:509
#18 0x7fbdc74c55ae in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) src/layout/base/FrameLayerBuilder.cpp:2017
#19 0x7fbdc74c04e3 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) src/layout/base/FrameLayerBuilder.cpp:3236
#20 0x7fbdd39dcbe4 in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicThebesLayer.cpp:139
#21 0x7fbdd39e0dfe in non-virtual thunk to mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
#22 0x7fbdd3974465 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:823
#23 0x7fbdd3971bac in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:944
#24 0x7fbdd3974a51 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:839
#25 0x7fbdd3971bac in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:944
#26 0x7fbdd396cfd2 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:588
#27 0x7fbdd396b7b7 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:509
#28 0x7fbdc74c55ae in mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, nsRenderingContext*) src/layout/base/FrameLayerBuilder.cpp:2017
#29 0x7fbdc74c04e3 in mozilla::FrameLayerBuilder::DrawThebesLayer(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*) src/layout/base/FrameLayerBuilder.cpp:3236
#30 0x7fbdd39e49ef in mozilla::layers::BasicThebesLayer::PaintBuffer(gfxContext*, nsIntRegion const&, nsIntRegion const&, nsIntRegion const&, bool, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*) src/gfx/layers/basic/BasicThebesLayer.h:94
#31 0x7fbdd39e409e in mozilla::layers::BasicShadowableThebesLayer::PaintBuffer(gfxContext*, nsIntRegion const&, nsIntRegion const&, nsIntRegion const&, bool, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*) src/gfx/layers/basic/BasicThebesLayer.cpp:400
#32 0x7fbdd39dd7cb in mozilla::layers::BasicThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicThebesLayer.cpp:189
#33 0x7fbdd39e1afa in mozilla::layers::BasicShadowableThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicThebesLayer.cpp:303
#34 0x7fbdd39e213e in non-virtual thunk to mozilla::layers::BasicShadowableThebesLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
#35 0x7fbdd3974465 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:823
#36 0x7fbdd39717f5 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:932
#37 0x7fbdd3974a51 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:839
#38 0x7fbdd39717f5 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:932
#39 0x7fbdd3974a51 in mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:839
#40 0x7fbdd39717f5 in mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::ReadbackProcessor*) src/gfx/layers/basic/BasicLayerManager.cpp:932
#41 0x7fbdd396cee8 in mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:584
#42 0x7fbdd396b7b7 in mozilla::layers::BasicLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:509
#43 0x7fbdd397e1e5 in mozilla::layers::BasicShadowLayerManager::EndTransaction(void (*)(mozilla::layers::ThebesLayer*, gfxContext*, nsIntRegion const&, nsIntRegion const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:1129
#44 0x7fbdc7786352 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const src/layout/base/nsDisplayList.cpp:1098
#45 0x7fbdc7783741 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const src/layout/base/nsDisplayList.cpp:966
#46 0x7fbdc79113e8 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) src/layout/base/nsLayoutUtils.cpp:1743
#47 0x7fbdc7a5c136 in PresShell::Paint(nsIView*, nsRegion const&, nsIPresShell::PaintType, bool) src/layout/base/nsPresShell.cpp:5323
#48 0x7fbdcb35de9b in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/src/nsViewManager.cpp:436
#49 0x7fbdcb3713e5 in nsViewManager::ProcessPendingUpdates() src/view/src/nsViewManager.cpp:1210
#50 0x7fbdc7ad9845 in nsRefreshDriver::Notify(nsITimer*) src/layout/base/nsRefreshDriver.cpp:431
#51 0x7fbdd313aa5d in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:476
#52 0x7fbdd313be7a in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
#53 0x7fbdd30ff580 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
#54 0x7fbdd2d91ecb in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
#55 0x7fbdd17db3b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
#56 0x7fbdd33b7e11 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
#57 0x7fbdd33b7c46 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
#58 0x7fbdd33b7b2b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
#59 0x7fbdd0c82dda in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
#60 0x7fbdcf8b59b4 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
#61 0x7fbdc5f28a4d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
#62 0x7fbdc5f2e8c5 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
#63 0x7fbdc5f31774 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
#64 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
#65 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
#66 0x7fbde3e26c4c in ?? ??:0
0x7fbd8c4c7880 is located 0 bytes inside of 616-byte region [0x7fbd8c4c7880,0x7fbd8c4c7ae8)
freed by thread T0 here:
#0 0x4c4af0 in free ??:0
#1 0x7fbde0cb2586 in moz_free src/memory/mozalloc/mozalloc.cpp:51
#2 0x7fbdd39b11cd in operator delete(void*) src/../../dist/include/mozilla/mozalloc.h:224
#3 0x7fbdc74d055b in mozilla::layers::Layer::Release() src/gfx/layers/Layers.h:514
#4 0x7fbdc74df755 in ~nsRefPtr src/../../dist/include/nsAutoPtr.h:874
#5 0x7fbdc7490ac6 in ~nsRefPtr src/../../dist/include/nsAutoPtr.h:872
#6 0x7fbdd3b37410 in ~LayerPropertiesBase src/gfx/layers/LayerTreeInvalidation.cpp:89
#7 0x7fbdd3b3e30a in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:162
#8 0x7fbdd3b3c806 in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:162
#9 0x7fbdd3b3c93c in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:162
#10 0x7fbdd3b377ef in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:71
#11 0x7fbdd3b37526 in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:70
#12 0x7fbdd3b3f286 in nsTArrayElementTraits<nsAutoPtr<mozilla::layers::LayerPropertiesBase> >::Destruct(nsAutoPtr<mozilla::layers::LayerPropertiesBase>*) src/../../dist/include/nsTArray.h:360
#13 0x7fbdd3b3f101 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:1225
#14 0x7fbdd3b3eb68 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:945
#15 0x7fbdd3b3e882 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::Clear() src/../../dist/include/nsTArray.h:956
#16 0x7fbdd3b3e74e in ~nsTArray src/../../dist/include/nsTArray.h:442
#17 0x7fbdd3b3e639 in nsAutoArrayBase<nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>, 1u>::~nsAutoArrayBase() src/../../dist/include/nsTArray.h:1303
#18 0x7fbdd3b3e529 in nsAutoTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, 1u, nsTArrayDefaultAllocator>::~nsAutoTArray() src/../../dist/include/nsTArray.h:1357
#19 0x7fbdd3b3e416 in nsAutoTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, 1u, nsTArrayDefaultAllocator>::~nsAutoTArray() src/../../dist/include/nsTArray.h:1357
#20 0x7fbdd3b3e2fd in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:162
#21 0x7fbdd3b3c806 in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:162
#22 0x7fbdd3b3c93c in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:162
#23 0x7fbdd3b377ef in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:71
#24 0x7fbdd3b37526 in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:70
#25 0x7fbdd3b3f286 in nsTArrayElementTraits<nsAutoPtr<mozilla::layers::LayerPropertiesBase> >::Destruct(nsAutoPtr<mozilla::layers::LayerPropertiesBase>*) src/../../dist/include/nsTArray.h:360
#26 0x7fbdd3b3f101 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:1225
#27 0x7fbdd3b3eb68 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:945
#28 0x7fbdd3b3e882 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::Clear() src/../../dist/include/nsTArray.h:956
#29 0x7fbdd3b3e74e in ~nsTArray src/../../dist/include/nsTArray.h:442
previously allocated by thread T0 here:
#0 0x4c4bb0 in __interceptor_malloc ??:0
#1 0x7fbde0cb26da in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
#2 0x7fbdd39b42f0 in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
#3 0x7fbdc74ac836 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2797
#4 0x7fbdc77d8c68 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:3737
#5 0x7fbdc74b5af4 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#6 0x7fbdc74ae0bb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#7 0x7fbdc77b68ba in nsDisplayOpacity::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2574
#8 0x7fbdc74b5af4 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#9 0x7fbdc74ae0bb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#10 0x7fbdc77d8c68 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:3737
#11 0x7fbdc74a2b39 in mozilla::FrameLayerBuilder::AddThebesDisplayItem(mozilla::layers::ThebesLayer*, nsDisplayItem*, mozilla::FrameLayerBuilder::Clip const&, nsIFrame*, mozilla::LayerState, nsPoint const&) src/layout/base/FrameLayerBuilder.cpp:2373
#12 0x7fbdc74b6f2c in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2200
#13 0x7fbdc74ae0bb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#14 0x7fbdc77b68ba in nsDisplayOpacity::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2574
#15 0x7fbdc74a2b39 in mozilla::FrameLayerBuilder::AddThebesDisplayItem(mozilla::layers::ThebesLayer*, nsDisplayItem*, mozilla::FrameLayerBuilder::Clip const&, nsIFrame*, mozilla::LayerState, nsPoint const&) src/layout/base/FrameLayerBuilder.cpp:2373
#16 0x7fbdc74b6f2c in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2200
#17 0x7fbdc74ae0bb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#18 0x7fbdc77d8c68 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:3737
#19 0x7fbdc74a2b39 in mozilla::FrameLayerBuilder::AddThebesDisplayItem(mozilla::layers::ThebesLayer*, nsDisplayItem*, mozilla::FrameLayerBuilder::Clip const&, nsIFrame*, mozilla::LayerState, nsPoint const&) src/layout/base/FrameLayerBuilder.cpp:2373
#20 0x7fbdc74b6f2c in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2200
#21 0x7fbdc74b478e in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2063
#22 0x7fbdc74ae0bb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#23 0x7fbdc77bc4c2 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2670
#24 0x7fbdc74b5af4 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
==32510== ABORTING
Comment 1 • 12 years ago
I can't reproduce the crash in a Linux64 debug+asan build, but I do see many:
###!!! ASSERTION: Layer already in list???: '!mNewChildLayers.Contains(ownLayer)', layout/base/FrameLayerBuilder.cpp, line 2183
(in an up-to-date mozilla-central tree, rev 63b393c1facc)
Fwiw, that assertion was also mentioned in bug 785626... so maybe bug 785333 did not completely fix it?
Comment 2 (Reporter) • 12 years ago
Mats, you might wanna try >10-12 firefox instances at once on an Xvfb display [Xvfb :1 -screen 0 1280x1024x24 &] and display manager blackbox [DISPLAY=:1 blackbox &]. If it does not reproduce, I can try out a potential patch since it reliably reproduces on my box.
Comment 3 (Reporter) • 12 years ago
Another similar-looking repro with the same free stack; it reproduces easily with a single firefox instance.
=================================================================
==24628== ERROR: AddressSanitizer heap-use-after-free on address 0x7f2ca30dec80 at pc 0x7f2cd011cf8f bp 0x7fff1d00ba70 sp 0x7fff1d00ba68
READ of size 8 at 0x7f2ca30dec80 thread T0
#0 0x7f2cd011cf8e in mozilla::FrameLayerBuilder::ProcessRemovedDisplayItems(mozilla::FrameLayerBuilder::DisplayItemDataEntry*, void*) src/layout/base/FrameLayerBuilder.cpp:954
#1 0x7f2cd015b90b in nsTHashtable<mozilla::FrameLayerBuilder::DisplayItemDataEntry>::s_EnumStub(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*) src/../../dist/include/nsTHashtable.h:485
#2 0x7f2cdba4ecc5 in PL_DHashTableEnumerate src/objdir-ff-asan-sym/xpcom/build/pldhash.cpp:716
#3 0x7f2cd011b8a2 in nsTHashtable<mozilla::FrameLayerBuilder::DisplayItemDataEntry>::EnumerateEntries(PLDHashOperator (*)(mozilla::FrameLayerBuilder::DisplayItemDataEntry*, void*), void*) src/../../dist/include/nsTHashtable.h:238
#4 0x7f2cd013a2b2 in mozilla::(anonymous namespace)::ContainerState::Finish(unsigned int*, mozilla::LayerManagerData*) src/layout/base/FrameLayerBuilder.cpp:2578
#5 0x7f2cd013091a in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2875
#6 0x7f2cd043d7f2 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2670
#7 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#8 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#9 0x7f2cd043d7f2 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2670
#10 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#11 0x7f2cd0136f9e in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2063
#12 0x7f2cd0136f9e in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2063
#13 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#14 0x7f2cd0406598 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const src/layout/base/nsDisplayList.cpp:1043
#15 0x7f2cd0404a71 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const src/layout/base/nsDisplayList.cpp:966
#16 0x7f2cd0592718 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) src/layout/base/nsLayoutUtils.cpp:1743
#17 0x7f2cd06dd526 in PresShell::Paint(nsIView*, nsRegion const&, nsIPresShell::PaintType, bool) src/layout/base/nsPresShell.cpp:5323
#18 0x7f2cd3fe9bfb in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/src/nsViewManager.cpp:436
#19 0x7f2cd3ffd145 in nsViewManager::ProcessPendingUpdates() src/view/src/nsViewManager.cpp:1210
#20 0x7f2cd075ac35 in nsRefreshDriver::Notify(nsITimer*) src/layout/base/nsRefreshDriver.cpp:431
#21 0x7f2cdbde246d in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:476
#22 0x7f2cdbde388a in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
#23 0x7f2cdbda6f90 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:612
#24 0x7f2cdba398db in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
#25 0x7f2cda4800bd in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:117
#26 0x7f2cdc061e61 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
#27 0x7f2cdc061c96 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
#28 0x7f2cdc061b7b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
#29 0x7f2cd992747a in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
#30 0x7f2cd855a054 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290
#31 0x7f2cceb9b49d in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3782
#32 0x7f2cceba1315 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3848
#33 0x7f2cceba41c4 in XRE_main src/toolkit/xre/nsAppRunner.cpp:3923
#34 0x40d013 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
#35 0x40a755 in main src/browser/app/nsBrowserApp.cpp:279
#36 0x7f2cecb1fc4c in ?? ??:0
0x7f2ca30dec80 is located 0 bytes inside of 632-byte region [0x7f2ca30dec80,0x7f2ca30deef8)
freed by thread T0 here:
#0 0x4c4af0 in free ??:0
#1 0x7f2ce99aa586 in moz_free src/memory/mozalloc/mozalloc.cpp:51
#2 0x7f2cdc66245d in operator delete(void*) src/../../dist/include/mozilla/mozalloc.h:224
#3 0x7f2cd0152d6b in mozilla::layers::Layer::Release() src/gfx/layers/Layers.h:514
#4 0x7f2cd0161f65 in ~nsRefPtr src/../../dist/include/nsAutoPtr.h:874
#5 0x7f2cd0113bf6 in ~nsRefPtr src/../../dist/include/nsAutoPtr.h:872
#6 0x7f2cdc7e2023 in ~LayerPropertiesBase src/gfx/layers/LayerTreeInvalidation.cpp:89
#7 0x7f2cdc7e918a in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:166
#8 0x7f2cdc7e7686 in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:166
#9 0x7f2cdc7e77bc in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:166
#10 0x7f2cdc7e23ff in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:71
#11 0x7f2cdc7e2136 in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:70
#12 0x7f2cdc7ea106 in nsTArrayElementTraits<nsAutoPtr<mozilla::layers::LayerPropertiesBase> >::Destruct(nsAutoPtr<mozilla::layers::LayerPropertiesBase>*) src/../../dist/include/nsTArray.h:360
#13 0x7f2cdc7e9f81 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:1225
#14 0x7f2cdc7e99e8 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:945
#15 0x7f2cdc7e9702 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::Clear() src/../../dist/include/nsTArray.h:956
#16 0x7f2cdc7e95ce in ~nsTArray src/../../dist/include/nsTArray.h:442
#17 0x7f2cdc7e94b9 in nsAutoArrayBase<nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>, 1u>::~nsAutoArrayBase() src/../../dist/include/nsTArray.h:1303
#18 0x7f2cdc7e93a9 in nsAutoTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, 1u, nsTArrayDefaultAllocator>::~nsAutoTArray() src/../../dist/include/nsTArray.h:1357
#19 0x7f2cdc7e9296 in nsAutoTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, 1u, nsTArrayDefaultAllocator>::~nsAutoTArray() src/../../dist/include/nsTArray.h:1357
#20 0x7f2cdc7e917d in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:166
#21 0x7f2cdc7e7686 in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:166
#22 0x7f2cdc7e77bc in mozilla::layers::ContainerLayerProperties::~ContainerLayerProperties() src/gfx/layers/LayerTreeInvalidation.cpp:166
#23 0x7f2cdc7e23ff in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:71
#24 0x7f2cdc7e2136 in ~nsAutoPtr src/../../dist/include/nsAutoPtr.h:70
#25 0x7f2cdc7ea106 in nsTArrayElementTraits<nsAutoPtr<mozilla::layers::LayerPropertiesBase> >::Destruct(nsAutoPtr<mozilla::layers::LayerPropertiesBase>*) src/../../dist/include/nsTArray.h:360
#26 0x7f2cdc7e9f81 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:1225
#27 0x7f2cdc7e99e8 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) src/../../dist/include/nsTArray.h:945
#28 0x7f2cdc7e9702 in nsTArray<nsAutoPtr<mozilla::layers::LayerPropertiesBase>, nsTArrayDefaultAllocator>::Clear() src/../../dist/include/nsTArray.h:956
#29 0x7f2cdc7e95ce in ~nsTArray src/../../dist/include/nsTArray.h:442
previously allocated by thread T0 here:
#0 0x4c4bb0 in __interceptor_malloc ??:0
#1 0x7f2ce99aa6da in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
#2 0x7f2cdc65f24c in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
#3 0x7f2cd012f046 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2797
#4 0x7f2cd0437bea in nsDisplayOpacity::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2574
#5 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#6 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#7 0x7f2cd0437bea in nsDisplayOpacity::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2574
#8 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#9 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#10 0x7f2cd0437bea in nsDisplayOpacity::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2574
#11 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#12 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#13 0x7f2cd0459f98 in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:3737
#14 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#15 0x7f2cd0136f9e in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2063
#16 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#17 0x7f2cd043d7f2 in nsDisplayOwnLayer::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::FrameLayerBuilder::ContainerParameters const&) src/layout/base/nsDisplayList.cpp:2670
#18 0x7f2cd0138304 in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2125
#19 0x7f2cd0136f9e in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2063
#20 0x7f2cd0136f9e in mozilla::(anonymous namespace)::ContainerState::ProcessDisplayItems(nsDisplayList const&, mozilla::FrameLayerBuilder::Clip&, unsigned int) src/layout/base/FrameLayerBuilder.cpp:2063
#21 0x7f2cd01308cb in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList const&, mozilla::FrameLayerBuilder::ContainerParameters const&, gfx3DMatrix const*) src/layout/base/FrameLayerBuilder.cpp:2870
#22 0x7f2cd0406598 in nsDisplayList::PaintForFrame(nsDisplayListBuilder*, nsRenderingContext*, nsIFrame*, unsigned int) const src/layout/base/nsDisplayList.cpp:1043
#23 0x7f2cd0404a71 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) const src/layout/base/nsDisplayList.cpp:966
#24 0x7f2cd0592718 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, unsigned int) src/layout/base/nsLayoutUtils.cpp:1743
==24628== ABORTING
Assignee
Comment 4•12 years ago
Thanks so much for the testcases!
Looks like this was a merged nsDisplayOpacity that then becomes two separate nsDisplayOpacity items. We have recorded DisplayItemData for both frames, and then we return the same ContainerLayer for each item separately. Panic ensues.
Attachment #667177 -
Flags: review?(roc)
Assignee
Comment 5•12 years ago
Fairly sure this is the same problem as bugs 795728 and 795889 too.
Reporter
Comment 6•12 years ago
Can I be cc'ed on 795889?
Attachment #667177 -
Flags: review?(roc) → review+
Assignee
Comment 7•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Can we land these tests as crashtests? I think this is going to make life easier in the refactoring ;).
Comment 14•12 years ago
Matt - is this related to DLBI? We're trying to figure out if the ESR10 branch is affected.
Comment 15•12 years ago
(In reply to Abhishek Arya from comment #6)
> Can I be cc'ed on 795889?
That's a crash in a private project that we can't add you to. There's no new information there about the crash though so you're not missing anything. The fix is here.
Blocks: dlbi
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
status-firefox18:
--- → fixed
tracking-firefox18:
--- → +
Assignee
Comment 16•12 years ago
Alex: Yes it is.
Updated•12 years ago
Assignee: nobody → matt.woodrow
Updated•12 years ago
status-firefox-esr17:
--- → unaffected
Whiteboard: [asan] → [asan][adv-main18+]
Updated•12 years ago
Group: core-security
Updated•8 years ago
Keywords: csectype-uaf